ubuntu1804 snort base
1. Environment preparation
Install packages with apt
sudo apt-get update -y
sudo apt-get dist-upgrade -y
sudo apt-get install -y zlib1g-dev liblzma-dev openssl libssl-dev
sudo apt-get install -y build-essential bison flex
sudo apt-get install -y libpcap-dev libpcre3-dev libdumbnet-dev libnghttp2-dev
sudo apt-get install -y mysql-server libmysqlclient-dev mysql-client autoconf libtool
sudo apt-get install -y libcrypt-ssleay-perl liblwp-useragent-determined-perl libwww-perl
sudo add-apt-repository ppa:ondrej/php
sudo apt-get update -y
sudo apt-get install -y apache2 libapache2-mod-php5.6 php5.6 php5.6-common php5.6-gd php5.6-cli php5.6-xml php5.6-mysql
sudo apt-get install -y php-pear libphp-adodb
Download the tarballs with wget
wget https://www.snort.org/downloads/archive/snort/daq-2.0.6.tar.gz
wget https://www.snort.org/downloads/archive/snort/snort-2.9.9.0.tar.gz
wget https://github.com/firnsy/barnyard2/archive/v2-1.13.tar.gz -O barnyard2-2-1.13.tar.gz
wget https://github.com/shirkdog/pulledpork/archive/v0.7.3.tar.gz -O pulledpork-v0.7.3.tar.gz
wget https://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-520-for-php5/adodb-5.20.8.tar.gz
wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz
2. Installation
(1) Install DAQ
tar -xvzf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure
sudo make
sudo make install
(2) Install Snort
tar -xvzf snort-2.9.9.0.tar.gz
cd snort-2.9.9.0
./configure --enable-sourcefire
make
sudo make install
Test
snort -V
Create the user environment
# Create the snort user and group:
sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
# Create the Snort directories:
sudo mkdir /etc/snort
sudo mkdir /etc/snort/rules
sudo mkdir /etc/snort/rules/iplists
sudo mkdir /etc/snort/preproc_rules
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo mkdir /etc/snort/so_rules
# Create the files that store rules and IP lists
sudo touch /etc/snort/rules/iplists/black_list.rules
sudo touch /etc/snort/rules/iplists/white_list.rules
sudo touch /etc/snort/rules/local.rules
sudo touch /etc/snort/sid-msg.map
# Create our logging directories:
sudo mkdir /var/log/snort
sudo mkdir /var/log/snort/archived_logs
# Adjust permissions:
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /var/log/snort/archived_logs
sudo chmod -R 5775 /etc/snort/so_rules
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
# Change Ownership on folders:
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules
Copy the configuration files
cd ~/snort-2.9.9.0/etc/
sudo cp *.conf* /etc/snort
sudo cp *.map /etc/snort
sudo cp *.dtd /etc/snort
cd ~/snort-2.9.9.0/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/
sudo cp * /usr/local/lib/snort_dynamicpreprocessor/
Comment out the rule files referenced in snort.conf; PulledPork will manage them instead
sudo sed -i "s/include \$RULE\_PATH/#include \$RULE\_PATH/" /etc/snort/snort.conf
Edit the snort.conf configuration
sudo vi /etc/snort/snort.conf
# Line 45: change ipvar HOME_NET to this host's internal network
ipvar HOME_NET 192.168.89.138/24
# Line 104: set the following rule and list paths
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules/iplists
var BLACK_LIST_PATH /etc/snort/rules/iplists
# Line 521: add
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
output unified2: filename snort.u2, limit 128
# Line 546: uncomment to enable the local.rules file
include $RULE_PATH/local.rules
Add a local rule
sudo vi /etc/snort/rules/local.rules
alert icmp any any -> $HOME_NET any (msg:"ICMP Test detected!!!"; classtype:icmp-event; sid:10000001; rev:001; GID:1; )
sudo vi /etc/snort/sid-msg.map
1 || 10000001 || 001 || icmp-event || 0 || ICMP Test detected || url,tools.ietf.org/html/rfc792
Test the configuration file (this host's capture interface is ens32)
sudo snort -T -c /etc/snort/snort.conf -i ens32
Functional test: ping the IP address of interface ens32 from another host; Snort records the attack, and the record is saved in /var/log/snort under the file name snort.log.xxx
sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i ens32
3. Install Barnyard2
Extract and compile
tar zxvf barnyard2-2-1.13.tar.gz
cd barnyard2-2-1.13
autoreconf -fvi -I ./
# Choose ONE of these two commands to run
./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
./configure --with-mysql --with-mysql-libraries=/usr/lib/i386-linux-gnu
sudo make
sudo make install
Test
barnyard2 -V
Configuration file
sudo cp ~/barnyard2-2-1.13/etc/barnyard2.conf /etc/snort/
# the /var/log/barnyard2 folder is never used or referenced
# but barnyard2 will error without it existing
sudo mkdir /var/log/barnyard2
sudo chown snort.snort /var/log/barnyard2
sudo touch /var/log/snort/barnyard2.waldo
sudo chown snort.snort /var/log/snort/barnyard2.waldo
Configure the database
ubuntu@ubuntu:~$ mysql -u root -p
mysql> create database snort;
mysql> use snort;
mysql> source ~/barnyard2-2-1.13/schemas/create_mysql;
mysql> CREATE USER 'snort'@'localhost' IDENTIFIED BY '123456';
mysql> grant create, insert, select, delete, update on snort.* to 'snort'@'localhost';
mysql> exit;
Add the database location
sudo vi /etc/snort/barnyard2.conf
# Append the database configuration at the end of the file
output database: log, mysql, user=snort password=123456 dbname=snort host=localhost sensor name=sensor01
Test: start Snort and send ping packets to ens32
sudo snort -q -u snort -g snort -c /etc/snort/snort.conf -i ens32
# Start barnyard2 and write the log records into the database
# 1. Continuous mode, using barnyard2.waldo as the bookmark
sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort
# 2. Batch mode, processing a single log file
sudo barnyard2 -c /etc/snort/barnyard2.conf -o /var/log/snort/snort.u2.xxx
# Check the number of rows in the database to see whether it has increased
mysql -u snort -p -D snort -e "select count(*) from event"
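Before any row reaches the event table, barnyard2 has to read the unified2 records Snort wrote to snort.u2 and join each one with sid-msg.map to recover the message text. The following Python script is an added example (not part of the original post, nor barnyard2's own code) that performs that join on a constructed snort.u2 blob and the sid-msg.map v2 line from section 2; it assumes the legacy UNIFIED2_IDS_EVENT (type 7) layout, which is what Snort writes when vlan_event_types and mpls_event_types are not set, and all sample values (timestamps, addresses, the packet bytes) are constructed.

```python
import socket
import struct

# Record types and layouts from Snort's unified2 format (network byte order).
UNIFIED2_PACKET, UNIFIED2_IDS_EVENT = 2, 7
RECORD_HDR = struct.Struct("!II")        # type, length
IDS_EVENT = struct.Struct("!11I2H4B")    # 52-byte legacy IDS event body

def parse_sid_msg_map_v2(text):
    """sid-msg.map v2 line: gid || sid || rev || classtype || priority || msg || refs..."""
    table = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] == "#":   # blank line or the '#v2' header
            continue
        f = [x.strip() for x in line.split("||")]
        table[(int(f[0]), int(f[1]))] = {"rev": int(f[2]), "classtype": f[3], "msg": f[5]}
    return table

def decode_events(data, sid_map):
    """Walk unified2 records; return one dict per IDS event, joined with sid_map."""
    events, off = [], 0
    while off + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        body = data[off + RECORD_HDR.size:off + RECORD_HDR.size + rlen]
        if len(body) != rlen:
            break                        # truncated tail: Snort is still writing it
        if rtype == UNIFIED2_IDS_EVENT:
            (_sensor, eid, sec, _usec, sid, gid, rev, _cls, _prio, src, dst,
             sport, dport, proto, _, _, _blocked) = IDS_EVENT.unpack(body[:IDS_EVENT.size])
            entry = sid_map.get((gid, sid))
            events.append({"event_id": eid, "time": sec, "gid": gid, "sid": sid, "rev": rev,
                           "src": socket.inet_ntoa(struct.pack("!I", src)),
                           "dst": socket.inet_ntoa(struct.pack("!I", dst)),
                           "proto": proto, "sport_itype": sport, "dport_icode": dport,
                           "msg": entry["msg"] if entry else "Snort Alert [%d:%d:%d]" % (gid, sid, rev),
                           "rev_mismatch": entry is not None and entry["rev"] != rev})
        off += RECORD_HDR.size + rlen    # packet and other record types are skipped
    return events

# Constructed sample data: the sid-msg.map line from section 2, one ICMP
# echo-request event against the HOME_NET host, then its packet record.
SAMPLE_MAP = "#v2\n1 || 10000001 || 001 || icmp-event || 0 || ICMP Test detected || url,tools.ietf.org/html/rfc792\n"
def _ip(dotted):
    return struct.unpack("!I", socket.inet_aton(dotted))[0]
_ev = IDS_EVENT.pack(0, 1, 1700000000, 0, 10000001, 1, 1, 30, 3,
                     _ip("192.168.89.1"), _ip("192.168.89.138"), 8, 0, 1, 0, 0, 0)
_pkt = struct.pack("!7I", 0, 1, 1700000000, 1700000000, 0, 1, 4) + b"\x08\x00\xf7\xff"
SAMPLE_U2 = (RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(_ev)) + _ev +
             RECORD_HDR.pack(UNIFIED2_PACKET, len(_pkt)) + _pkt)
```

Call decode_events(SAMPLE_U2, parse_sid_msg_map_v2(SAMPLE_MAP)) to get the decoded alert; rev_mismatch flags a revision that differs between the fired rule and the map entry, which is easy to introduce when both files are edited by hand as above.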
4. Install PulledPork
Extract and install
tar xzvf pulledpork-v0.7.3.tar.gz
cd pulledpork-v0.7.3/
sudo cp pulledpork.pl /usr/local/bin
sudo chmod +x /usr/local/bin/pulledpork.pl
sudo cp etc/*.conf /etc/snort
Test
ubuntu@ubuntu:~$ pulledpork.pl -V
PulledPork v0.7.3 - Making signature updates great again!
Configuration file changes
sudo vi /etc/snort/pulledpork.conf
# Line 19: enter the oinkcode generated for your registered account; comment the line out if you do not have one
# Line 29: uncomment to also download the Emerging Threats rules
# Line 74: change to:
rule_path = /etc/snort/rules/snort.rules
# Line 89: change to:
local_rules = /etc/snort/rules/local.rules
# Line 92: change to:
sid_msg = /etc/snort/sid-msg.map
# Line 96: change to:
sid_msg_version = 2
# Line 119: change to:
config_path = /etc/snort/snort.conf
# Line 133: change to:
distro = Ubuntu-12-04
# Line 141: change to:
black_list = /etc/snort/rules/iplists/black_list.rules
# Line 150: change to:
IPRVersion = /etc/snort/rules/iplists
sudo vi /etc/snort/snort.conf
# Line 548: add
include $RULE_PATH/snort.rules
Update the rules and test
sudo /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l
sudo snort -T -c /etc/snort/snort.conf -i ens32
5. Create the services
Snort service
# Create the service unit file
sudo vi /lib/systemd/system/snort.service
[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target
[Service]
Type=simple
Restart=always
ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i ens32
[Install]
WantedBy=multi-user.target
# Enable the service at boot
sudo systemctl enable snort
# Start the service
sudo systemctl start snort
# Check the service status
sudo systemctl status snort
Barnyard2 service
# Create the service unit file
sudo vi /lib/systemd/system/barnyard2.service
[Unit]
Description=Barnyard2 Daemon
After=syslog.target network.target
[Service]
Type=simple
Restart=always
ExecStart=/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -q -w /var/log/snort/barnyard2.waldo -g snort -u snort -D -a /var/log/snort/archived_logs --pid-path=/var/run
[Install]
WantedBy=multi-user.target
# Enable the service at boot
sudo systemctl enable barnyard2
# Start the service
sudo systemctl start barnyard2
# Check the service status
sudo systemctl status barnyard2
6. Install BASE
Extract the site directory and move it into the Apache2 document root
tar xzvf base-1.4.5.tar.gz
sudo mv base-1.4.5 /var/www/html/base/
Configuration
cd /var/www/html/base
sudo cp base_conf.php.dist base_conf.php
sudo vi /var/www/html/base/base_conf.php
$BASE_Language = 'chinese'; # line 27
$BASE_urlpath = '/base'; # line 50
$DBlib_path = '/usr/share/php/adodb/'; #line 80
$alert_dbname = 'snort'; # line 102
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = '123456'; # line 106
// $graph_font_name = "Verdana";
// $graph_font_name = "DejaVuSans";
// $graph_font_name = "Image_Graph_Font";
$graph_font_name = "";
sudo chown -R www-data:www-data /var/www/html/base
sudo chmod o-r /var/www/html/base/base_conf.php
sudo service apache2 restart
Test
Open localhost/base in a browser

Click Create BASE AG
